A little more than three weeks after announcing it had added role management to its identity management offerings, CA (NASDAQ: CA) has unveiled several products focused around that issue as well as the bigger one of governance, risk and compliance (GRC).

Here's why: The easiest compliance breach to spot, and the one that occurs most frequently, is when users either retain access rights they shouldn't have or were given those rights by mistake.

Correcting that is simple in theory: Identify the users, figure out what access rights they should have according to their roles in the organization and ensure they only have those rights.

Add process and policy management, and automation to the mix, and you should, in theory, have a pretty secure organization with minimum danger of compliance breaches.

CA added role management to its offerings May 14, when it agreed to resell Eurekify's Enterprise Role Manager.

It has now unveiled three identity and access management products: CA Identity Manager, CA Access Control and Security Compliance Manager.

"These are three of many products around identity and access management, and all have compliance features built in so you have basic controls in place," Lina Liberti, CA's vice president of security management, told InternetNews.com.

"Here in the United States people are just trying to get to creating a repeatable, sustainable process to get the cost out of compliance."

The tools will automate what basically is a manual process, where companies ensure users only have the access appropriate to their jobs and their managers certify they have that access.

They are among eight new and updated tools CA has just unveiled. Together with the other five tools, they will "help enterprises improve compliance initiatives or lower costs by automating compliance management, creating online workflow and tying in to remediation," Liberti said.

Identity is key for IT GRC because "access control is one of the primary foci for IT governance," Scott Crawford, Enterprise Management Associates' research director, told InternetNews.com.

"Correlating individuals' roles to their jobs has become more of an issue in the enterprise over the past couple of years, and auditors pick on this because they can get to it very quickly," Crawford said.

One auditor told him that "43 percent of the staff in a 5,000-person business has overbroad entitlements or entitlements that should have been retired," Crawford added.

The problem is partially one of nomenclature. "A lot of enterprises have deep, detailed IT entitlements and face the challenge of rolling them up and giving them a role name recognized by the business side," Mark McClain, CEO and founder of SailPoint Technologies told InternetNews.com.
SailPoint is a player across the spectrum of identity GRC.

Once that's done, the roles can be used in compliance management.

The next wave of GRC products "will be in the identity GRC space -- how to do GRC around all this identity you have in the enterprise," McClain said.

In the past few years, access control efforts have focused on provisioning, or providing users with a corporate identity and ancillary services, rather than deprovisioning, and "role management like Eurekify is where we see a lot of motion around this," Crawford said.

In terms of its GRC products, CA is behind the pure IT GRC players such as Agiliance and Archer that "have already been carving out leadership in this space for two to three years," but not doing too badly compared to other major players, who "have not focused so much on IT GRC," Crawford said.

He listed CA's competitors in this space as primarily Symantec (NASDAQ: SYMC), with its 2005 acquisition of BindView, which provides agentless IT security compliance software, and IBM (NYSE: IBM), which "has a very broad portfolio they can position around IT governance, risk and compliance."

The issue with GRC is that it's "a combination of management in multiple domains on the one hand, and process in terms of tying things together in coherent fashion on the other," Crawford said. He expects CA "to make a favorable showing."